MINIMUM COMPUSEC STANDARDS

A Phased Approach


Step 1: Setting of Initial Limiting Conditions (Completed November 1983)


- SCI information systems only 

-- 13 critical SCI information systems, initially

- Security upgrades to existing operational SCI information 
systems 


- Reducing or eliminating areas of greatest vulnerability

-- Inadequate access and authentication controls

-- Inadequate system accountability, e.g., auditing,
transactional analysis, monitoring, etc.

-- Inadequate dissemination and security labeling controls
and management

- Security upgrades achievable in the 1985-1986 timeframe by use 
of market available products/services, by introduction of in- 
house procedures, and controls or by additional personnel 
resources (implies approval of needed funding)

Step 2: Identification of Minimum SAFEGUARDS


- The term "SAFEGUARDS" is used to specify a candidate set 
of COMPUSEC STANDARDS. In this sense, a "STANDARD" has an 
accepted formal meaning: a "SAFEGUARD," on the other hand is 
used as an informal designation of a definable security 
upgrade 

- 41 SAFEGUARDS were derived in the limited context of Step 1,
i.e., for achieving of needed security upgrades for the three 
areas of greatest vulnerability of the selected 13 critical 
SCI information systems. 

(Completed October 1983) 

- The 41 Minimum SAFEGUARDS initially identified by October 1983 
will be reduced to those achievable in the 1985-1986 timeframe 
to meet one of the specified limiting conditions of Step 1.
These 1985-1986 Minimum SAFEGUARDS will probably number about
20.

(To be completed March 1983)

Step 3: Recommendation of Candidate List of 1985 Minimum COMPUSEC Standards

- The 1985 Candidate Minimum COMPUSEC Standards will be selected 
from the approximately 20 1985-1986 Minimum SAFEGUARDS and will 
be those aimed directly at alleviating the three most serious 
vulnerabilities identified in Step 1 and present in the 13 
critical SCI information systems. 

- The 1985 Candidate Minimum COMPUSEC Standards will be separated 
into: 

— 1) Mandatory COMPUSEC Standards 

— 2) Voluntary COMPUSEC Standards 

Only those standards which can be implemented, i.e., to which
resources have been allocated, can be prescribed as mandatory.

All other standards will be designated voluntary.

(To be completed July 1984) 

Step 4: Establishing a COMPUSEC Standards Compliance and Coordination
Process


- This Step 4 proceeds in parallel with Steps 2, 3, 5 and 6. 
The first components of the process are needed to handle 
the promulgation of the candidate mandatory standards for 
comment by affected US Government and industry organizations 
(Step 5).

- DOD has a standards program formalized by regulation.

The IC has no such formalized standards program. Since SCI 
COMPUSEC Standards must be set by the DCI so as to adequately 
provide for protection of sources, methods and intelligence 
content, an IC or NFIB COMPUSEC compliance and coordination 
process is needed to interface with or augment the DOD 
Standards Program. 

Step 5: Promulgation for Comment of Candidate 1985 Mandatory COMPUSEC
Standards by the DCI/DDCI

- Candidate standards, both mandatory and voluntary, may be 
established by consensus or edict. Consensus is more common 
for US Government standards with the possible exception of 
National Security-related standards. 

- General types of standards anticipated for COMPUSEC include: 

— 1) Documentation Standards 

— 2) Performance Standards 

— 3) Interface Standards 

— 4) Protocol Standards 

— 5) Data Standards 

— 6) Software Program Standards 

— 7) Equipment Standards

- Industry is particularly concerned with standards that lead
to potential sole-source situations. 

- Promulgation of candidate standards is always preceded by
difficult decisions relative to issues resulting from
considerations such as those just described.

(To be initiated September 1984) 

Step 6: Issuance of the First 1985 Mandatory and Voluntary COMPUSEC
Standards by the DCI/DDCI

- This step assumes an in-place standards compliance and 
coordination process. 

(To be initiated October 1984)

MINIMUM COMPUSEC STANDARDS

A Phased Approach

DIAGRAMMED

Nov 1983    Step 1: Setting of Initial Limiting Conditions

            Step 2: Identification of Minimum SAFEGUARDS
Oct 1983    Part 1: First identification of 41 SAFEGUARDS
Mar 1984    Part 2: Delineation of a 1985-1986 Set of Minimum SAFEGUARDS

Jul 1984    Step 3: Recommendation of a Candidate List of 1983
            Minimum COMPUSEC Standards

Sep 1984    Step 5: Promulgation for Comment of Candidate 1985
            Mandatory Standards

Oct 1984    Step 6: Issuance of First 1985 Mandatory and Voluntary
            COMPUSEC Standards

Jan. 1984, Oct 1984    Step 4: Establishing a COMPUSEC Standards
            Compliance and Coordination Process